CVE-2013-3918
Published 2013-11-12
Priority P1 88 · 8.8 high (CVSS 3.1)
CISA Known Exploited Vulnerability (due 2025-10-27) · Exploited in the wild
EPSS: 73.87% (99.4th percentile)
The InformationCardSigninHelper Class ActiveX control in icardie.dll in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted web page that is accessed by Internet Explorer, as exploited in the wild in November 2013, aka "InformationCardSigninHelper Vulnerability."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
Bytes: `\x64\xa1\x18\x00\x00\x00\x83\xC0\x08\x8b\x20\x81\xC4\x30\xF8\xFF\xFF`
- Detect exploitation attempts by monitoring for instantiation of the InformationCardSigninHelper ActiveX control (CLSID {19916E01-B44E-4E31-94A4-4696DF46157B}) via Internet Explorer, particularly calls to the 'requiredClaims' method.
- Monitor for VBScript patterns that call .remove() on an empty CardSpaceClaimCollection object in a loop to trigger the integer underflow, followed by .add(); this is a hallmark of the in-the-wild exploit technique.
- Look for heap-spray patterns in VBScript creating large arrays of HTML OBJECT elements (~5493 elements) with deliberate holes (nulling every other element starting at index 4093), consistent with the in-the-wild exploitation technique.
- Set a kill bit for CLSID {19916E01-B44E-4E31-94A4-4696DF46157B} (icardie.dll InformationCardSigninHelper) to prevent instantiation; monitor the registry for its removal as an indicator of tampering.
- Monitor icardie.dll for the underflow instruction at offset CCardSpaceClaimCollection::remove+0xa0 (opcode ff 4e 08, dec dword ptr [esi+8]) being hit with a zero-length collection, as a breakpoint/EDR telemetry signal.
- The Metasploit module specifically targets Windows XP with IE 8 (x86); the ROP gadget addresses (0x77c20433, 0x77c15ed5) are hardcoded for msvcrt on that platform and will not apply to other OS/IE versions.
- The vulnerability affects a broad range of Windows versions (XP through RT 8.1); detection rules scoped only to XP/IE8 will miss exploitation attempts on newer platforms.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
CISA
Microsoft Windows Out-of-Bounds Write Vulnerability (cisa · 2025-10-06 · CVSS 8.8 · HIGH)
Affected: Microsoft Windows
Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigat
GHSA
GHSA-7627-vgq8-rcjv: The InformationCardSigninHelper Class ActiveX control in icardie (ghsa_unreviewed · 2022-05-14 · HIGH · CWE-119)
Description: identical to the NVD description above.
VulnCheck
Microsoft Windows Out-of-Bounds Write Vulnerability (vulncheck · 2013 · CVSS 8.8 · HIGH)
Affected: Microsoft Windows
Description and required action: identical to the CISA entry above.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - CardSpaceClaimCollection ActiveX Integer Underflow (MS13-090) (Metasploit) (exploitdb · 2013-11-27)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
      'Name'        => "MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow",
      'Description' => %q{
        This module exploits a vulnerability on the CardSpaceClaimCollection class from the
        icardie.dll ActiveX control. The vulnerability exists while the handling of the
        CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of
        elements on a SafeArray and keeps a size field, counting the number of elements on the
        collection. By calling the remove() method on an empty CardSpaceClaimCollection it is
        possible to
```
Metasploit
MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow (metasploit)
This module exploits a vulnerability in the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists in the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollection stores a collection of elements in a SafeArray and keeps a size field counting the number of elements in the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. Later, a call to the add() method will use the corrupted length field to compute the address to write into the SafeArray data, allowing memory to be corrupted with a pointer to controlled contents. This module achieves code execution by using VBScript as
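As an added illustration (not the Metasploit module's or icardie.dll's code), the C model below reproduces the length-field underflow described above and the remove-in-a-loop-then-add sequence the detection note calls out, beside a hardened version that rejects both operations. The collection layout, capacity and function names are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not icardie.dll's code: a fixed backing array plus a
 * separate signed length field, the shape the description above gives for
 * CardSpaceClaimCollection. The length doubles as the next free slot. */
#define CAPACITY 8
typedef struct {
    const char *items[CAPACITY];
    int32_t length;
} claim_collection;

/* Vulnerable remove(): no empty check, so calls on an empty collection
 * drive length negative (-1, -2, ...). */
static int32_t vuln_remove(claim_collection *c) { return --c->length; }

/* Vulnerable add(): derives the slot from length. It only reports the
 * slot instead of writing through it, so the model is safe to run. */
static int32_t vuln_add_slot(const claim_collection *c) { return c->length; }

/* Hardened remove(): nothing to remove is an error, not a decrement. */
static int safe_remove(claim_collection *c) {
    if (c->length <= 0) return -1;
    c->length--;
    return 0;
}
/* Hardened add(): the slot must lie inside the backing array. */
static int safe_add(claim_collection *c, const char *item) {
    if (c->length < 0 || c->length >= CAPACITY) return -1;
    c->items[c->length++] = item;
    return 0;
}

/* The sequence from the detection note: remove() in a loop on an empty
 * collection, then add(). Returns the slot add() would write to. */
static int32_t replay_vuln(int removes) {
    claim_collection c = {{0}, 0};
    for (int i = 0; i < removes; i++) vuln_remove(&c);
    return vuln_add_slot(&c);
}
/* Same sequence against the hardened code; returns the final length. */
static int32_t replay_safe(int removes, int *add_rc) {
    claim_collection c = {{0}, 0};
    for (int i = 0; i < removes; i++) safe_remove(&c);
    *add_rc = safe_add(&c, "claim");
    return c.length;
}

int main(void) {
    int rc;
    int32_t len = replay_safe(3, &rc);
    printf("vulnerable: add() after 3 removes targets slot %d\n", replay_vuln(3));
    printf("hardened: 3 removes rejected, add ok (rc %d), length %d\n", rc, len);
    return 0;
}
```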
Talos
Microsoft Update Tuesday: February 2014, huge fix for Internet Explorer (blogs_talos · 2014-02-11 · CVSS 9.3 · CRITICAL)
The Microsoft Updates are pretty significant this month. Internet Explorer, which was missing from the updates for the first time in a long time last month, is back with a whopping 24 vulnerabilities. Besides the IE bulletin, there are six more bulletins, 4 of which are rated critical and 3 of which are rated important. All-in-all, this Update Tuesday provides fixes for 32 CVEs. The list of bulletins below is ordered by rating rather than number (i.e., the same ordering as used here: https://technet.microsoft.com/en-us/security/bulletin/ms14-feb).
The first bulletin, MS14-010, deals with IE and is rated critical and provides fixes for 24 CVEs. As is usual, most of the vulnerabilities are the result of use-after-free vulnerabilities. Most of the vulnerabilities were reported privately to Micr
Talos
Microsoft Update Tuesday November 2013: HyperV vulnerability and fix for 0day (blogs_talos · 2013-11-13 · CVSS 7.9 · HIGH)
We have a relatively light Update Tuesday this month: 8 bulletins covering 19 CVEs, 3 of which are marked critical. The most interesting vulnerability this month is actually in the non-critical ones: a vulnerability in Hyper-V (MS13-092). We’re also getting a fix for a 0-day vulnerability in ActiveX (MS13-090).
As always there’s the requisite critical IE bulletin (MS13-088), this time covering ten CVEs. The vulnerabilities span the range of IE releases from 6-11 and cover the usual suspects of use-after-free and information disclosure vulnerabilities.
The next critical bulletin (MS13-089) is for the Windows Graphical Device Interface (GDI), where a malicious embedded BMP can result in remote code execution (CVE-2013-3940). The likely attack vector for this vulnerability would be a WordPa
Zscaler
Zscaler found Multiple Security Vulnerabilities | 11-12-2013 (blogs_zscaler · CVSS 4.3 · MEDIUM)
Zscaler
Zscaler found Zero-day Security Vulnerabilities | 11-11-2013 (blogs_zscaler)
Recorded Future
October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention (blogs_recorded_future · CVSS 9.8 · CRITICAL)
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
References
- http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx
- http://www.darkreading.com/vulnerability/new-ie-vulnerability-found-in-the-wild-s/240163814/
- http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html
- http://www.us-cert.gov/ncas/alerts/TA13-317A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-090
- https://isc.sans.edu/forums/diary/16985
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19089
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3918
- https://www.microsoft.com/en-us/msrc/blog/2013/11/technical-details-of-the-targeted-attack-using-ie-vulnerability-cve-2013-3918/
Timeline
- Published: 2013-11-12
- Added to CISA KEV: 2025-10-06
- Exploited in the wild